Scrub All Inputs
Any time an application receives data, from any source, assume that the data is untrusted and must be checked before it is used. Scrub incoming data to eliminate anything that looks like program logic or executable content, even if the execution would happen somewhere else, such as in a database query or in another user's browser. Cleaning is harder than it sounds: it means searching for and removing character sequences that could enable a vulnerability, and a filter that only strips known-bad patterns can be bypassed, because removing a pattern once can reassemble the very payload it was meant to delete. When an application scrubs its inputs in this way, exposure to attacks like XSS and SQLi drops considerably. Going one step further, defining for each input the character set a valid value may contain (an allowlist of permitted ASCII characters together with an expected length) and rejecting anything outside it cuts that exposure far more sharply than stripping does. Treat this as one layer of defense: parameterized queries and context-aware output encoding remain the primary controls against SQLi and XSS, since input validation cannot know every context in which a stored value will later be used.
A strong web application firewall (WAF) input policy specifies exactly which characters your application expects for each of its inputs. If your application expects a product ID consisting of 12 digits, a minimal WAF input policy would at least strip control characters and punctuation from that field. A strong WAF input policy would constrain the product ID to exactly 12 characters, all of them numerals, and anything else would be rejected with an error rather than silently cleaned up. Apply the same policy inside the application as well, since a WAF can be misconfigured or bypassed, or traffic can reach the application over a path the WAF does not inspect. You should be validating data any time you accept it from end users or external services.
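The per-field allowlist policy described above, with the strip-based "scrub" approach beside it for contrast, as an added example in Python (this is not code from the original page; the field names, rules, and sample inputs are constructed for illustration). It also shows one edge case a practitioner runs into: a regex anchored with `$` still accepts a trailing newline, so `fullmatch` is used for the strict policy.

```python
import re

# Added example: an allowlist input policy applied per field, plus two
# "scrub" helpers that strip unwanted content. Field names, rules and the
# sample values below are hypothetical, not taken from the original page.

# One pattern per field describing exactly the characters and length expected.
FIELD_RULES = {
    "product_id": re.compile(r"[0-9]{12}"),            # exactly 12 ASCII digits
    "username":   re.compile(r"[A-Za-z0-9_-]{1,32}"),  # short ASCII handle
    "quantity":   re.compile(r"[1-9][0-9]{0,3}"),      # 1..9999, no sign, no spaces
}


class InvalidInput(ValueError):
    """Raised when a value does not match the policy for its field."""


def validate(field, value):
    """Return value unchanged if it matches the policy for field, else raise."""
    rule = FIELD_RULES.get(field)
    if rule is None:
        # An input with no policy is rejected: unknown fields never get through.
        raise InvalidInput(f"no input policy for field {field!r}")
    # fullmatch requires the entire string to match the pattern; a pattern
    # ending in "$" would still accept a value with a trailing newline.
    if not isinstance(value, str) or rule.fullmatch(value) is None:
        raise InvalidInput(f"{field}: value rejected by input policy")
    return value


def accepts(field, value):
    """Boolean form of validate(), convenient for checks and tests."""
    try:
        validate(field, value)
        return True
    except InvalidInput:
        return False


def validate_request(params):
    """Validate every submitted field; any failure rejects the whole request."""
    return {name: validate(name, value) for name, value in params.items()}


def is_product_id_loose(value):
    """Common mistake: re.match with ^...$ lets '123456789012\\n' through."""
    return re.match(r"^[0-9]{12}$", value) is not None


def scrub_digits(value):
    """Scrub approach: silently drop every non-digit instead of rejecting."""
    return re.sub(r"[^0-9]", "", value)


def scrub_script_tags(value):
    """Scrub approach: delete literal <script> tags in a single pass."""
    return re.sub(r"<script>", "", value, flags=re.IGNORECASE)


if __name__ == "__main__":
    print("accepted:", validate_request({"product_id": "482910034567", "quantity": "3"}))
    for bad in ("48291003456", "482910034567\n", "4829' OR 1=1--"):
        print("rejected:", repr(bad), accepts("product_id", bad))
    # The loose check accepts the newline variant that the strict policy rejects.
    print("loose check on newline variant:", is_product_id_loose("482910034567\n"))
    # Scrubbing turns an injection attempt into a plausible-looking wrong value.
    print("scrubbed:", scrub_digits("4829' OR 1=1--"))
    # A single-pass strip can reassemble the payload it was meant to remove.
    print("scrubbed:", scrub_script_tags("<scr<script>ipt>alert(1)</script>"))
```

The strict policy rejects anything that is not exactly 12 digits, including the same digits followed by a newline, while `scrub_digits` quietly turns an injection attempt into a short numeric string and `scrub_script_tags` leaves a working `<script>` tag behind after stripping the nested one. Rejecting with an error, as the text recommends, avoids both failure modes.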